Déc 302019

In previous articles about lateral movement, we have mostly used « live » scenarios where we would either run as the victim user or we would dump secrets from (lsass) memory.

This time, lets look at dpapi secrets in « offline » scenarios.

About DPAPI, see wikipedia.

DPAPI (Data Protection Application Programming Interface) is a simple cryptographic application programming interface available as a built-in component in Windows 2000 and later versions of Microsoft Windows operating systems. In theory the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.

DPAPI secrets are made of :
-a blob containing encrypted data, linked to a masterkey (used to decrypt the blob)
-a masterkey containing one (or several) encrypted key(s)

To decrypt a masterkey (and therefore a blob), you need the below:
-non-domain context: SID AND user password (when the masterkey was created) SHA1 hash
-domain context: SID AND user password (when the masterkey was created) NTLM hash
-local computer: DPAPI_SYSTEM secret (COMPUTER or USER part)

In the next 3 (+1) articles, we will see how to decrypt dpapi secrets.

Before doing so, I recommend reading this article.

Also, most part of the knowledge and coding is greatly (understatement here) inspired by the excellent work (another understatement) from Gentilwiki and Mimikatz.

Poster un Commentaire


Ce site utilise Akismet pour réduire les indésirables. En savoir plus sur comment les données de vos commentaires sont utilisées.

Notifier de